
A Learning System for Discriminating Variants of Malicious Network Traffic...

by Justin M Beaver, Christopher T Symons, Robert E Gillen
Publication Type: Conference Paper
Conference Name: 8th Annual Cyber Security and Information Intelligence Research Workshop
Conference Location: Oak Ridge, Tennessee, United States of America

Modern computer network defense systems rely primarily on signature-based intrusion detection tools, which generate alerts when patterns that are pre-determined to be malicious are encountered in network data streams. Signatures are created reactively, and only after in-depth manual analysis of a network intrusion. Signature-based detectors have little ability to identify intrusions that are new or even variants of an existing attack, and little ability to adapt to the patterns unique to a network environment. Due to these limitations, the need exists for network intrusion detection techniques that can more comprehensively address both known and unknown network-based attacks and can be optimized for the target environment. This work describes a system that leverages machine learning to provide a network intrusion detection capability that analyzes behaviors in channels of communication between individual computers. Using examples of malicious and non-malicious traffic in the target environment, the system can be trained to discriminate between traffic types. The machine learning provides insight that would be difficult for a human to explicitly code as a signature because it evaluates many interdependent metrics simultaneously. With this approach, zero-day detection is possible by focusing on similarity to known traffic types rather than mining for specific bit patterns or conditions. This also reduces the burden on organizations to account for all possible attack variant combinations through signatures. The approach is presented along with results from a third-party evaluation of its performance.
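As an added illustration of the channel-based idea the abstract describes (example code written for this page, not the authors' system; the flow records, hosts, ports and the choice of metrics are all constructed assumptions), the block below aggregates flows into per-channel metric vectors, scales them against labelled training channels and classifies new channels by nearest-neighbour similarity rather than by matching a fixed pattern. A port sweep that touches ports never seen in training is still classified as malicious because its combination of metrics resembles the known sweep and beacon channels.

```python
"""Channel-level traffic classification by similarity to labelled examples.

Added illustration of the approach in the abstract; not the paper's code or
data. Flows are aggregated per communication channel (source host -> destination
host), summarised as a vector of interdependent metrics, min-max scaled against
the training set, and classified by k-nearest-neighbour majority vote.
Every flow record and label below is constructed.
"""
from collections import Counter, defaultdict
from math import sqrt

FEATURE_NAMES = ("flows", "distinct_ports", "mean_pkts", "bytes_per_pkt", "tiny_flow_frac")

# Constructed flow records: (src, dst, dst_port, packets, bytes)
TRAINING_FLOWS = [
    # benign: workstation browsing one web server
    ("10.0.0.5", "10.0.1.10", 443, 40, 38000),
    ("10.0.0.5", "10.0.1.10", 443, 55, 61000),
    ("10.0.0.5", "10.0.1.10", 80, 30, 21000),
    # benign: long interactive SSH session
    ("10.0.0.7", "10.0.1.20", 22, 900, 120000),
    # benign: file share transfers
    ("10.0.0.8", "10.0.1.25", 445, 500, 600000),
    ("10.0.0.8", "10.0.1.25", 445, 400, 480000),
    # benign: IMAPS mail client
    ("10.0.0.6", "10.0.1.26", 993, 60, 30000),
    ("10.0.0.6", "10.0.1.26", 993, 80, 45000),
    # malicious: port sweep, one packet per port
    ("10.0.0.9", "10.0.1.30", 21, 1, 60),
    ("10.0.0.9", "10.0.1.30", 23, 1, 60),
    ("10.0.0.9", "10.0.1.30", 25, 1, 60),
    ("10.0.0.9", "10.0.1.30", 80, 1, 60),
    ("10.0.0.9", "10.0.1.30", 445, 1, 60),
    ("10.0.0.9", "10.0.1.30", 3389, 1, 60),
    # malicious: beacon, many tiny fixed-size flows to one port
    *[("10.0.0.11", "203.0.113.5", 8080, 2, 200) for _ in range(5)],
    # malicious: a second sweep from another host
    *[("10.0.0.12", "10.0.1.31", port, 1, 60)
      for port in (22, 80, 110, 143, 443, 445, 1433, 3306)],
]
TRAINING_LABELS = {
    ("10.0.0.5", "10.0.1.10"): "benign",
    ("10.0.0.7", "10.0.1.20"): "benign",
    ("10.0.0.8", "10.0.1.25"): "benign",
    ("10.0.0.6", "10.0.1.26"): "benign",
    ("10.0.0.9", "10.0.1.30"): "malicious",
    ("10.0.0.11", "203.0.113.5"): "malicious",
    ("10.0.0.12", "10.0.1.31"): "malicious",
}
# Constructed unseen traffic: a sweep variant (new ports, two packets per probe)
# and a new workstation browsing the web server.
TEST_FLOWS = [
    *[("10.0.0.21", "10.0.1.40", port, 2, 120) for port in (135, 139, 8443, 5900)],
    ("10.0.0.23", "10.0.1.10", 443, 35, 33000),
    ("10.0.0.23", "10.0.1.10", 443, 45, 47000),
]


def channel_features(flows):
    """Aggregate raw flows into one metric vector per (src, dst) channel.

    The metrics are interdependent on purpose: a sweep shows many distinct
    ports, tiny flows and few bytes per packet at once, which is awkward to
    express as one signature but natural to compare as a vector.
    """
    by_channel = defaultdict(list)
    for src, dst, port, pkts, nbytes in flows:
        by_channel[(src, dst)].append((port, pkts, nbytes))
    features = {}
    for channel, recs in by_channel.items():
        n = len(recs)
        total_pkts = sum(p for _, p, _ in recs)
        total_bytes = sum(b for _, _, b in recs)
        features[channel] = (
            float(n),
            float(len({port for port, _, _ in recs})),
            total_pkts / n,
            total_bytes / total_pkts,
            sum(1 for _, p, _ in recs if p <= 2) / n,
        )
    return features


def fit_scaler(vectors):
    """Per-feature min and max over the training channels."""
    mins = tuple(min(v[i] for v in vectors) for i in range(len(FEATURE_NAMES)))
    maxs = tuple(max(v[i] for v in vectors) for i in range(len(FEATURE_NAMES)))
    return mins, maxs


def scale(vec, scaler):
    """Min-max scale so no single metric dominates the distance."""
    mins, maxs = scaler
    return tuple((x - lo) / (hi - lo) if hi > lo else 0.0
                 for x, lo, hi in zip(vec, mins, maxs))


def knn_classify(vec, examples, k=3):
    """Majority vote of the k closest labelled channels (Euclidean distance)."""
    ranked = sorted(
        (sqrt(sum((a - b) ** 2 for a, b in zip(vec, ex))), label)
        for ex, label in examples
    )[:k]
    vote = Counter(label for _, label in ranked)
    return vote.most_common(1)[0][0], ranked


def train(flows, labels):
    feats = channel_features(flows)
    scaler = fit_scaler(list(feats.values()))
    return scaler, [(scale(v, scaler), labels[ch]) for ch, v in feats.items()]


def classify_channels(flows, model, k=3):
    scaler, examples = model
    return {ch: knn_classify(scale(v, scaler), examples, k)[0]
            for ch, v in channel_features(flows).items()}


if __name__ == "__main__":
    model = train(TRAINING_FLOWS, TRAINING_LABELS)
    for channel, verdict in classify_channels(TEST_FLOWS, model).items():
        print(channel, "->", verdict)
```

The sweep variant uses ports and a probe size absent from training, so no signature built from the training sweeps would match it; its scaled vector is nonetheless nearest to the three malicious channels. In practice the scaler and the choice of k would be validated on held-out traffic from the target environment, and the same scaler must be reused at classification time.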